The Person with CISA Certification has added advantage in understanding the importance of tool which can analyze the controls, review the security and audit the system quickly and efficiently
Is CISA Certification Valuable For SAP GRC Implementation
The CISA Certification helps the person understand Audit Controls and Security in the IT Systems. This knowledge is useful for SAP GRC Implementation wherein the tool enables you to quickly monitor the SAP Controls Security and audit the System. With the knowledge, IT Controls principles from CISA Certification you effectively communicate with the management and external auditors.
Mapping CISA Modules to SAP GRC Functionality
We are going to look at how what you learn in the CISA Certification can be useful when you are implementing SAP GRC in the SAP Customer for SAP Audit Compliance. We will take each module and map them to the SAP GRC Functionality.
About SAP GRC Tool
SAP GRC Access Control is a tool created to help SAP Customers automate the process of managing SAP users’ access and to monitor SoD risk violations. It allows us to personalize and customize processes related to users’ access management, business roles management, analysis and monitoring of the risk of segregation of duties (SoD), privileged / Emergency access and periodical reviews of access to specific, individual requirements of each enterprise. SAP GRC Access Control is a software that allows you to manage this process in solutions from various developers and various systems e.g SAP HCM, ECC, BW or CRM).
SAP GRC Access Control consists of the following modules:
- Access Risk Analysis (ARA)
- Emergency Access Management (EAM)
- Bussiness Role Management (BRM)
- Access Request Management (ARM)
- User Access Review (UAR)
CISA Domain 1 – The process of auditing
information systems
• IT –audit: definition, basic concepts, goals and
objectives;
• Overview of standards, tools, and approaches
used in IT audit;
• Risks assessment within the audit process;
• Techniques of planning and management of the
audit process;
• Collection of the information and audit evidence
Process Auditing with SAP GRC Implementation
- SAP GRC Tool comes with Standard Out of the box risk ruleset. This will help us perform a Risk assessment of the SAP Systems.
- The Critical and SOD Risk standard reports can be used to perform Security IT Audit of the SAP System
- The Management report within SAP GRC Can help with Planning and management of Audit Process
- The Auditors can download the Risk report and execution logs for audit evidence
Domain 2 – Governance and Management
of IT
• IT strategy, policies, standards, and procedures;
• Risk management within the organization;
• IT governance, organizational structure and
segregation of duties;
• Maturity and process improvement models;
• IS management practices;
• Business continuity planning.
Governance and Management
of SAP Systems
- The Security Policies and procedures can be implemented with SAP GRC
- Risk management can be implemented the SAP GRC Monitoring Functionality
- Segregation of Duties between the production System and Development system can be implemented with Emergency access management
- Moving to Zero Risk Tolerance with Process improvements
Domain 3 – Systems and infrastructure life
cycle management
• Project management practices;
• Methodology and tools for software
development;
• Configuration and releases management;
• Data migration and information systems
implementation;
• Goals and practices of system launch quality
assessment.
SAP Systems and infrastructure life
cycle management
- Follow the Change Control Process to enable and move the changes into SAP GRC System
- Identify all the Custom objects within the SAP Environment from SAP GRC
- Identify people with Configuration and release management capabilities
- Follow best practices during the SAP Security Implementation by monitoring the SAP Users and Roles from SAP GRC
Domain 4 – IT security audit
- Information security controls;
- Access management;
- IT infrastructure security;
- Physical security.
SAP Security audit with SAP GRC
- SAP GRC Risk Ruleset is helpful in Analyzing the Risk in SAP System
- The SAP user Provisioning automation can provision and de-provision users based on approvals
- The Company can periodically perform User access Review
- Any 3rd Party vendors can be given access to SAP System through Elevated access
SAP Auditor with CISA Certification
- Assist the Director of Information Security and Disaster Recovery in maintaining a comprehensive, active and effective information security foundation for the services that the Information Technology provides to our internal and external customers. This involves auditing, monitoring, administration, and remediation of technical controls to meet IT SOX requirements. This position will independently perform a full range of advanced analytical and technical activities in the area of IT Compliance related activities. Essential Functions:
- Assist in the coordination and achievement of IT SOX audit compliance objectives and annual SOC 1 certifications through stakeholder support and timely execution
- Assist with the administration of enterprise user account reviews, including working with application owners, administrators, as well as supporting and coaching business reviewers
- Perform functional security configuration and maintenance tasks for SAP S4, BW/BI/BOBJ, and GRC Access Control System
- Manage and mitigate Segregation of Duty conflicts of both users and roles with Business input using SAP GRC
- Monitor and maintain SAP user IDs across non-production and production landscapes•Create SAP transports and works within change management guidelines ensuring that all transports moved into production maintain system integrity•Administer and maintain end-user accounts, permissions, and access rights in the SAP S4, BW, BPC, BOBJ, and GRC systems
- Responds to suspicious emails reported, analyze for malicious content, log, and report related monthly metrics
- Assists in the execution of the Enterprise Security Program, establishing phishing campaigns and related training, and content development for quarterly newsletters and security metrics reporting •Assist with the coordination of acquired entity IT SOX compliance attainment and integration•Other duties as assigned.
Qualifications & Experience:
•Four-year degree in Information Technology with an information security emphasis – preferred, or equivalent relevant experience.•Preferred, SAP Certified Application Associate – SAP Business Objects Access Control 10.0
•3+ years of experience in any of the following areas: IT SOX Compliance, SAP audit, SAP security design/re-design, SAP GRC Ruleset maintenance
•Hands-on SAP GRC and security implementation; exposure to SAP GRC is preferred
•Proven experience, clarity, and courage to drive an agenda with the ability to influence without direct authority. Knowledge, Skills, and Abilities: •Ability to demonstrate a general knowledge of information security concepts (malware, virus, threats, confidentiality).
•Advanced Excel analytical skills
•Knowledge in HANA database role configuration and user administration
•Self-motivated and directed, with keen attention to detail.
•Familiar with an international and multi-cultural environment
•Ability to work in a team-oriented environment.
•Strong analytical and critical thinking skills that facilitate research leading to rapid solutions of problems
•Ability to routinely multi-task between the tactical and the strategic: the ability to work with flexibility, efficiency, enthusiasm, and diplomacy both individually and as part of a complex team effort. Physical Requirements:
•Requires the ability to sit for long periods of time, with frequent interruptions
•Requires several hours per day of sitting, getting up and down from chairs, and reaching, or bending
•Requires manual dexterity with normal hand and finger movements for typical office work
•Talking, hearing, and seeing are important elements of completing assigned tasks
•May require travel by car and/or plane for business
•May require a visit to facility operations in temperatures at or below freezing
•May carry loads related to travel and occasionally lifts, carries, positions, or moves objects weighing up to 20 pounds
•Requires the performance of work activities including reasoning, negotiating, instructing, persuading, or speaking with others; and respond appropriately to constructive feedback from executive management